Date:      Fri, 23 Aug 2013 21:23:56 +0300
From:      Konstantin Belousov <kostikbel@gmail.com>
To:        Valeri Galtsev <galtsev@kicp.uchicago.edu>
Cc:        freebsd-jail@freebsd.org
Subject:   Re: per user quotas inside jail?
Message-ID:  <20130823182356.GH4972@kib.kiev.ua>
In-Reply-To: <17536.128.135.70.2.1377281124.squirrel@cosmo.uchicago.edu>
References:  <19176.128.135.70.2.1377267872.squirrel@cosmo.uchicago.edu> <20130823160549.GD4972@kib.kiev.ua> <17536.128.135.70.2.1377281124.squirrel@cosmo.uchicago.edu>

On Fri, Aug 23, 2013 at 01:05:24PM -0500, Valeri Galtsev wrote:
> On Fri, August 23, 2013 11:05 am, Konstantin Belousov wrote:
> > On Fri, Aug 23, 2013 at 09:24:32AM -0500, Valeri Galtsev wrote:
> >> Dear Experts,
> >> After searching the web, reading FreeBSD Docs, trying some hacks found on
> >> some discussion boards... I feel it is not easily possible. Yet, as always
> >> there may be some expert who knows how to do it:
> >> How can one have per user quotas inside jail?
> >> Basically, I would like to give users shell access to some server, but
> >> that I prefer to have in jail, where I will mount all filesystems they
> >> need access to... and the only question is: how do I restrict them so one
> >> (or few) user doesn't fill up the whole filesystem. My mind is not married
> >> to any particular filesystem, UFS2, XFS, ZFS... - the only thing I would
> >> stay away from is NFS exporting on host and then NFS mounting in jail
> >> (which may be easiest if not the only way quota wise).
> >
> > UFS quotas work regardless of jailed/non-jailed user.  The only confusing
> > issue is that quotas are per host uid.  In other words, if host and jail
> > user, or two users from different jails have the same uid, you get one
> > quota setting applied and accounted for them.
> >
> > Usual mitigation is to ensure that user uids are globally unique.
> >
>
> Thanks, Konstantin.
>
> Still it doesn't work for me. My system is:
>
> 9.1-RELEASE-p5 amd64
>
> Kernel: the same as GENERIC, with one option added:
>
> options         QUOTA                   # Add disk quota support
>
> filesystem with quota enabled is directly mounted (UFS; rw,userquota) into
> directory inside jail. User (with the same username and UID) exists on the
> host system and in jail. Quotas work on the host system. Quotas don't work
> inside jail, so this user can fill up the whole filesystem when logged
> into jail (jail accepts ssh connections with different hostname...)
>
> Apart from that I tried a hack which I lifted from someone's FreeBSD 7
> hack (only the variable name changed since then), namely:
>
> in kernel, in:
>
> /usr/src/sys/kern/vfs_syscalls.c
>
> I kicked out two lines:
>
>         if (!prison_allow(td->td_ucred, PR_ALLOW_QUOTAS))
>                 return (EPERM);
>
> (which basically obliterate that if done from inside jail as far as I
> understand),
>
> rebuilt and installed this kernel; in file
>
> /etc/rc.d/quota
>
> removed line
>
> # KEYWORD: nojail
>
> Yet, I'm still where I was: quotas work outside jail, not inside jail...
>
> So, I'm at a loss. I guess I will have to dive into zfs following Aaron
> Kaufman's suggestion... Sigh.

UFS quotas work per mount. So if jail root is on a filesystem which
has no quotas configured, obviously the thing cannot work.

You did not provide any details of your configuration, which makes
a diagnostic impossible.

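
The thread's point that UFS quotas are accounted per host uid, so uids should be globally unique across host and jails, can be checked mechanically. The script below is an added example, not part of the original message: the function names, file names and sample accounts are constructed, and in real use the arguments would be the host's passwd file and the passwd file under each jail's root.

```shell
#!/bin/sh
# Added example: report UIDs that occur in more than one passwd(5) file.
# Because UFS quotas are keyed on the host uid, every line of output is a
# set of accounts that would share a single quota on a common filesystem.

# shared_uids MIN_UID FILE...
# Prints "uid file:name file:name ..." for each uid >= MIN_UID found in 2+ files.
shared_uids() {
    min_uid=$1; shift
    awk -F: -v min="$min_uid" '
        /^#/ || NF < 3 { next }        # skip comment and malformed lines
        $3 + 0 < min   { next }        # skip accounts below the threshold
        {
            key = $3 SUBSEP FILENAME
            if (key in seen) next      # a uid repeated in one file counts once
            seen[key] = 1
            nfiles[$3]++
            owners[$3] = owners[$3] " " FILENAME ":" $1
        }
        END {
            for (uid in nfiles)
                if (nfiles[uid] > 1) print uid owners[uid]
        }' "$@" | sort -n
}

# make_samples DIR: write three constructed passwd files (host and two jails).
make_samples() {
    printf '%s\n' '# constructed sample' \
        'root:*:0:0:Charlie &:/root:/bin/csh' \
        'alice:*:1001:1001:Alice:/home/alice:/bin/sh' > "$1/host.passwd"
    printf '%s\n' \
        'root:*:0:0:Charlie &:/root:/bin/csh' \
        'bob:*:1001:1001:Bob:/home/bob:/bin/sh' \
        'carol:*:2001:2001:Carol:/home/carol:/bin/sh' > "$1/jail_a.passwd"
    printf '%s\n' \
        'root:*:0:0:Charlie &:/root:/bin/csh' \
        'dave:*:2001:2001:Dave:/home/dave:/bin/sh' \
        'erin:*:3001:3001:Erin:/home/erin:/bin/sh' > "$1/jail_b.passwd"
}

# Demo on the constructed samples, ignoring system accounts below uid 1000.
tmp=$(mktemp -d) && make_samples "$tmp" &&
    (cd "$tmp" && shared_uids 1000 host.passwd jail_a.passwd jail_b.passwd)
rm -rf "$tmp"
```

An empty result means no two files assign the same uid at or above the threshold; uid 0 is excluded by the threshold because root is expected to exist everywhere.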